Protection of Technical Vulnerability Information

Oracle also maintains strong controls over the technical description of security vulnerabilities in Oracle code. Oracle’s Security Vulnerability Information Protection Policy defines the classification and handling of information related to product-security vulnerabilities and requires that information concerning security bugs be recorded in a tightly controlled corporate database.

Applicability of Oracle Software Security Assurance to Oracle Cloud

Oracle Cloud largely relies on Oracle products that are subject to Oracle Security Assurance activities. Oracle-developed code used solely in the cloud, that is, code that is not used in on-premises product distributions, is also subject to Oracle Software Security Assurance.

Prohibition of Backdoors in Oracle Code

Oracle’s policies prohibit the introduction of backdoors into its products. Backdoors are deliberately (and maliciously) introduced code intended to bypass the security controls of the application in which they are embedded. Backdoors do not include:

Unintentional defects in software that could lead to a weakening of security controls (security bugs)

Undocumented functionality that is designed to be generally inaccessible to customers but serves a valid business or technical purpose (diagnostics and troubleshooting utilities)

Oracle also carefully vets third-party software and hardware to avoid the use of products: